Best Guide To Configure App Registration In Microsoft Entra

This post will help you understand and create an App Registration In Microsoft Entra for your tenant and explain why this is important. Entra ID app registration is generally used by developers who work with the Entra ID platform and get access using user accounts and groups. Those accesses are based on one or more API permissions in Entra apps.

The Microsoft identity platform can use app registration for identity and access management checks. Entra application registration establishes a trust between the tenant-registered app and the Microsoft identity platform. This is unidirectional trust: The Entra app trusts the Microsoft Identity platform, not vice versa. Once created, we cannot move the Application object between different tenants.

Every Entra App registration needs to be granted some API permissions. After that, only the application or service can access anything as an authenticated user in the Azure tenant. Without API permissions, the app cannot access the resource in the Azure tenant.

After the API permissions are assigned, the same permissions need to be approved, and consent must be obtained from the administrator user before getting desired access such as Device.read. A user with at least a “Cloud Application administrator” can grant admin consent on delegated permissions.

Patch My PC
Best guide to configure App Registration in Microsoft Entra - Figure 01
Best guide to configure App Registration in Microsoft Entra – Figure 01

Before You Get Started

Ensure you have “Application. read-write. all” permissions to register an app and assign it a role in Azure. App registration in Entra will require an Application. Read-write. all access, and the “Cloud application administrator” must grant admin consent on API permissions assigned to the App.

How To Create App Registration In Microsoft Entra

Let’s create a test app registration. We can use Azure portal, Powershell, or Microsoft Graph to create app registration. We are going to use the GUI method directly from the Azure portal. Microsoft App registration supports Authentication via user credentials and Certificate-based authentication. Certification-based authentication will require a self-signed certificate.

Adaptiva
Best guide to configure App Registration in Microsoft Entra - Figure 02
Best guide to configure App Registration in Microsoft Entra – Figure 02

On the Microsoft Entra ID page, scroll down and select App registrations from the portal. Click on the new registration tab on the right pane. This will open the “Register an Application” pane where we can enter application details.

Best Guide To Configure App Registration In Microsoft Entra Fig03
Best guide to configure App Registration in Microsoft Entra – Figure 03

Enter the name for the application you want, for testing we are providing the “Test App Registration” name to our application. We can also specify who can use the application, i.e., single or multitenant accounts. (we have selected “Accounts in this organizational directory only”)

Best guide to configure App Registration in Microsoft Entra - Figure 04
Best guide to configure App Registration in Microsoft Entra – Figure 04

Once the application registration is done, we can find the Application (client) ID and Object (tenant) ID in the overview tab. Note down the Application ID and Tenant ID to use later if required.

Best guide to configure App Registration in Microsoft Entra - Figure 05
Best guide to configure App Registration in Microsoft Entra – Figure 05

Configure API Permissions On Entra App Registration

Entra App registration needs to be granted some API permissions. After that, only the application or service can access anything as an authenticated user in the Azure tenant. Without API permissions, the app cannot access the resource in the Azure tenant. Once the API permissions are assigned, the same needs to get consent from the Administrator user before getting the desired access, like Device.read. We will assign the API permissions to the test App registration for device management.

API Permissions Assigned
DeviceManagementApps.ReadWrite.All
DeviceManagementConfiguration.ReadWrite.All
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementServiceConfig.ReadWrite.All
User.Read
Best Guide To Configure App Registration In Microsoft Entra – Table 01
  • Let’s configure API permissions for the app
  • Select the API Permissions tab on the Test App and add permissions
  • Add delegated permissions on the application.
  • We are configuring this app to utilise with Intune, hence assigning device management permissions.
Best guide to configure App Registration in Microsoft Entra - Figure 06
Best guide to configure App Registration in Microsoft Entra – Figure 06

Setup Authentication Method For App Registration

The last step in the app registration process is adding an authentication method, which will be used to access this application. This ensures that only authorized users connect with the application via an approved authentication method.

  • Go to the Authentication tab on the test App created
  • Add a platform > Mobile and desktop application
Best Guide To Configure App Registration In Microsoft Entra Fig07
Best guide to configure App Registration in Microsoft Entra – Figure 07

Configure the Redirect URL for our app. If you don’t have any custom redirect URL configured, select “https://login.microsoftonline.com/common/oauth2/nativeclient” for the native client authentication method for Microsoft accounts. You can use any custom redirect URL as well. More information on Microsoft Redirect URL

Best Guide To Configure App Registration In Microsoft Entra Fig08
Best guide to configure App Registration in Microsoft Entra – Figure 08

The Entra App registration will be completed successfully once you complete the above configuration on Azure. The following post will show how we can utilize the Entra app registration to access the tenant services using Microsoft Graph.

I hope this post was beneficial for you. I appreciate your patience in reading this post.

Need Further Assistance or Have Technical Questions?

Join the LinkedIn Page and Telegram group to get the latest step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.

Author

Sachin Chauhan is a Microsoft-certified professional and Modern device management consultant with over 10 years of experience in Microsoft technologies like MECM, Intune, Windows, Autopilot, Operating system deployments and management, Azure, and PowerShell Automation.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.